The Symantec Threat Hunter Team, now part of Broadcom, warned last week that the hacker group Witchetty (also known as LookingFrog) has recently launched attacks against targets in the Middle East and Africa, using the rarely seen technique of steganography to hide a backdoor Trojan inside an image of the Windows logo.
Witchetty is an espionage-focused group. It was first documented in April this year by another security company, ESET, which assessed it to be a subgroup of the espionage actor TA410, itself linked to the Chinese group APT10. Witchetty's hallmark is a two-stage intrusion: the X4 backdoor is deployed first, and the second-stage backdoor LookBack is loaded afterwards. Its targets are government organizations, diplomatic missions, charities and industrial organizations.
According to the Threat Hunter Team's investigation, between February and September this year Witchetty attacked the governments of two Middle Eastern countries and the stock exchange of an African country. The attackers exploited the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange Server to install web shells on internet-facing servers.
In this wave of attacks, alongside its existing tools, Witchetty adopted a new tool, Backdoor.Stegmap, which uses steganography to extract a payload hidden inside a bitmap (BMP) image. A seemingly innocuous bitmap draws no suspicion; in one case the attackers used an old version of Microsoft's Windows logo as the carrier (shown below).
Image credit: Broadcom
Embedding a malicious payload in an innocent-looking image file lets the attackers host it on trusted, free services such as GitHub rather than on an attacker-controlled C&C server; a download from the former is far less likely to attract attention.
The payload hidden in the BMP file is a fully functional backdoor. It can create and remove directories; copy, move and delete files; start and terminate processes; download and execute files on the compromised host; read, create and delete registry keys; and exfiltrate files.
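As an added illustration (not code from Symantec and not Witchetty's own tooling, whose exact encoding the article does not describe), the following Python builds a small 24-bit BMP in memory, hides an XOR-obfuscated payload in the least-significant bits of its pixel data, recovers it, and runs the kind of cheap structural triage an analyst might apply to a downloaded image. The LSB scheme, the XOR key, the constructed cover image and the sample payload are all assumptions made for the demonstration.

```python
import struct

# BITMAPFILEHEADER: magic, file size, two reserved words, offset of pixel array
BMP_HEADER_FMT = "<2sIHHI"
# BITMAPINFOHEADER (40 bytes): size, width, height, planes, bpp, compression,
# image size, x/y pixels per metre, colours used, important colours
DIB_HEADER_FMT = "<IiiHHIIiiII"


def make_bmp(width, height, pixels):
    """Build an uncompressed 24-bit bottom-up BMP from a flat list of (b, g, r) tuples."""
    row_stride = (width * 3 + 3) & ~3  # each row is padded to a 4-byte boundary
    pixel_bytes = bytearray()
    for y in range(height):
        row = bytearray()
        for x in range(width):
            row += bytes(pixels[y * width + x])
        row += b"\x00" * (row_stride - len(row))
        pixel_bytes += row
    pixel_offset = 14 + 40
    file_size = pixel_offset + len(pixel_bytes)
    file_hdr = struct.pack(BMP_HEADER_FMT, b"BM", file_size, 0, 0, pixel_offset)
    dib_hdr = struct.pack(DIB_HEADER_FMT, 40, width, height, 1, 24, 0,
                          len(pixel_bytes), 2835, 2835, 0, 0)
    return bytes(file_hdr + dib_hdr + pixel_bytes)


def parse_bmp(data):
    """Read the two headers and compute where the pixel array should end."""
    magic, declared_size, _, _, pixel_offset = struct.unpack_from(BMP_HEADER_FMT, data, 0)
    if magic != b"BM":
        raise ValueError("not a BMP")
    (_, width, height, _, bpp, compression, _, _, _, _, _) = struct.unpack_from(DIB_HEADER_FMT, data, 14)
    if bpp != 24 or compression != 0:
        raise ValueError("example only handles uncompressed 24-bit BMPs")
    row_stride = (width * 3 + 3) & ~3
    return {"declared_size": declared_size, "pixel_offset": pixel_offset,
            "width": width, "height": height, "pixel_len": row_stride * abs(height)}


def xor(data, key):
    """Repeating-key XOR; assumed here as the payload obfuscation layer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed_lsb(bmp, payload, key):
    """Hide [4-byte length || xor(payload)] in the LSB of successive pixel bytes.
    The image keeps its size and headers, so it still renders and parses normally."""
    info = parse_bmp(bmp)
    blob = struct.pack("<I", len(payload)) + xor(payload, key)
    bits = [(byte >> (7 - i)) & 1 for byte in blob for i in range(8)]
    if len(bits) > info["pixel_len"]:
        raise ValueError("payload does not fit in the pixel array")
    out = bytearray(bmp)
    start = info["pixel_offset"]
    for i, bit in enumerate(bits):
        out[start + i] = (out[start + i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(bmp, key):
    """Recover the payload that embed_lsb() hid; what a loader would do after download."""
    start = parse_bmp(bmp)["pixel_offset"]

    def read_bytes(bit_offset, n):
        vals = bytearray()
        for b in range(n):
            v = 0
            for i in range(8):
                v = (v << 1) | (bmp[start + bit_offset + b * 8 + i] & 1)
            vals.append(v)
        return bytes(vals)

    (length,) = struct.unpack("<I", read_bytes(0, 4))
    return xor(read_bytes(32, length), key)


def triage_bmp(data):
    """Cheap structural checks: do the headers agree with the bytes actually present?
    Catches payloads appended after the pixel array, but NOT LSB embedding."""
    info = parse_bmp(data)
    findings = []
    expected_end = info["pixel_offset"] + info["pixel_len"]
    if len(data) > expected_end:
        findings.append(f"{len(data) - expected_end} bytes trail the pixel array")
    if info["declared_size"] != len(data):
        findings.append("header file size does not match actual file size")
    return findings


if __name__ == "__main__":
    # Constructed 32x32 cover image and a fake payload (not a real sample).
    cover = make_bmp(32, 32, [(0x10, 0x20, 0x30)] * (32 * 32))
    key = b"\x5a\xa5"  # assumed key for the demonstration
    stego = embed_lsb(cover, b"MZ\x90\x00 fake payload", key)
    print("recovered:", extract_lsb(stego, key))
    print("triage on LSB stego image:", triage_bmp(stego))
    print("triage on image with appended blob:", triage_bmp(cover + b"appended payload"))
```

The point of the last two calls is the caveat a defender needs: a payload appended after the pixel array is trivially flagged by header-versus-length checks, while an LSB-embedded payload leaves size and headers intact and survives them. That is why image-hosted payloads on a trusted service are hard to spot at the file level, and why hunting has to lean on the behaviour of the loader that fetches and decodes the image and on the published IOCs.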
The Threat Hunter Team has published indicators of compromise (IOCs) for these attacks for reference.